Fourth EU AML Directive Transposed Into Irish Law

The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018 (the ‘Act’), which transposes most of the Fourth EU Money Laundering Directive (2015/849) (‘MLD4’) into Irish law, was enacted on 14th November 2018 and all but one provision was commenced with effect from 26th November 2018.

Risk Assessment

The Act requires that a business risk assessment must include factors such as customer base, products, services and transactions and geographic risk. It must also take account of the National Risk Assessment, any guidance issued by the Central Bank of Ireland (‘CBI’) and guidelines issued by the European Supervisory Authorities. The Act creates a new offence of failing to comply with these requirements. The business risk assessment must be reviewed and approved by senior management, kept up to date, and be available to the CBI on request. The Act also includes Schedules listing factors which must be taken into account when conducting the business risk assessment.

Customer Due Diligence

Risk Assessment

The obligation to perform a risk assessment now applies in respect of all customers (i.e. certain exemptions previously available have been removed). This risk assessment must be conducted with reference to various factors, including the factors within the business risk assessment. The purpose of an account or relationship and its intended duration must be considered, as well as the size of an intended transaction and the intended frequency of transactions. Schedule 3 of the Act sets out a non-exhaustive list of factors that may indicate a lower money laundering/terrorist financing (‘ML/TF’) risk, while Schedule 4 sets out a similar list of factors that indicate higher ML/TF risk. Simplified CDD (‘SCDD’) may be applied where the customer or transaction is assessed to present lower ML/TF risk, however, the basis for the decision to apply SCDD must be recorded and the relationship must be subject to ongoing monitoring.

Enhanced CDD (‘ECDD’) must be applied to politically exposed persons (‘PEPs’) regardless of residence (i.e. Irish-resident PEPs are no longer exempt) and when dealing with a customer resident or established in a third (i.e. non-EU) country which has been designated by the European Commission as being high risk due to strategic deficiencies in its anti-money laundering/countering the financing of terrorism (‘AML/CFT’) regime. Additionally, ECDD is required for correspondent relationships with third country credit or financial institutions, or when a relationship or transaction presents a higher degree of ML/TF risk.

Monitoring

The definition of ‘monitoring’ has been updated so that it includes a requirement to keep CDD up to date. There is also a requirement to perform CDD where a customer’s circumstances have changed and this is warranted by the associated ML/TF risk.

Timing of CDD

Financial Institutions such as investment funds are not permitted to process transactions prior to the completion of CDD measures.

Scope of CDD

The Act introduces a new requirement to verify the identity of a person purporting to act on behalf of a customer.

Complex Transactions and Unusual Transactions

The Act creates a new offence of failing to comply with the requirement to examine complex or unusually large transactions or unusual patterns and to apply enhanced monitoring accordingly.

Definition of Beneficial Ownership

The definitions of beneficial ownership in relation to corporate bodies and trusts or similar arrangements have been substantively amended.

The definition of ‘beneficial owner’ in relation to bodies corporate has been updated to align with that in MLD4. This is the definition of beneficial owner which is used in the creation of beneficial ownership registers, and which requires the names of ‘senior managing officials’ to be identified as beneficial owners where it has not been possible to identify a beneficial owner through direct or indirect ownership.

The definition of ‘beneficial owner’ in relation to trusts and other unincorporated entities has been updated such that a 25% threshold will no longer apply, and the settlor, trustee and protector (or equivalent positions) as well as beneficiaries will be identified as beneficial owners.

Reliance on Third Parties

With the removal of the list of ‘equivalent’ jurisdictions, there is expanded scope to rely on third parties in third countries, provided those third parties are supervised for compliance with standards equivalent to those required under MLD4. This includes the possibility of relying on third parties in high risk third countries where these are subsidiaries of ‘obliged entities’ within the EU and apply the group policies of their EU parent.

Policies, Controls and Procedures

The areas which policies, controls and procedures are required to deal with are now more detailed and prescriptive, and include for example a requirement to describe measures taken to identify emerging risks. Policies, controls and procedures must be approved by senior management and kept up to date. In preparing these policies, regard to any guidelines issued by the CBI must be taken into account.

Record Keeping

There is now a requirement to delete personal data upon expiry of the 5 year retention period where that data is being retained solely for AML/CFT purposes. However, the Irish Police may direct that records are retained beyond the 5 year period where this is deemed necessary for the investigation or prosecution of ML/TF.

Correspondent Relationships and Relationships with Shell Banks

Investment funds are now required to perform specific ECDD measures prior to entering into financial arrangements (‘correspondent relationships’) with other such institutions outside of the EU. Correspondent relationships include relationships established for securities transactions. Additionally, the prohibition on entering into correspondent relationships with shell banks has been extended to include investment funds.

Enforcement

The Financial Intelligence Unit of the Irish Police is referred to as ‘FIU Ireland’ within the Act and has been empowered to carry out all the obligations of an EU Financial Intelligence Unit under MLD4. It will have access to national central registers of beneficial ownership, and has gained new powers to request information from ‘any person’, including Competent Authorities (i.e. regulatory bodies) and the Revenue Commissioners. FIU Ireland has also been empowered to share information with other EU FIUs.

More stringent obligations in relation to the group-wide application of AML/CFT policies are now in force, and the CBI may request an entity to close down its third-country operations where the AML/CFT controls in respect of those operations are deemed to be insufficient.

Additionally the CBI may direct a Financial Institution (or class of Financial Institutions) to appoint a Compliance Officer or a person with primary responsibility for AML/CFT matters.

Monetary Penalties

The limits for pecuniary sanctions that may be imposed by the CBI in respect of breaches of the provisions of the Act are set as follows:

Breach by a credit institution or financial institution:

Greatest of: €10 million; twice the amount of any benefit derived from the breach; 10% of turnover for the last complete financial year.

Breach by a ‘designated person’ (i.e. any natural person subject to the provision of the Act):

Greater of: €1 million; twice the amount of any benefit derived from the breach.

Breach by a natural person involved in the management of a regulated entity (excluding where the designated person is a Credit Institution or Financial Institution):

Greater of: €1 million; twice the amount of any benefit derived from the breach.

Breach by a natural person involved in the management of a credit institution or financial institution):

Greater of: €5 million; twice the amount of any benefit derived from the breach.

Registers of Beneficial Ownership

Certain provisions of MLD4 with respect to registers of beneficial owners for corporate entities were transposed into Irish law in November 2016. The Act does not provide the legislation required to create a national central register of beneficial ownership which will be operated by the Companies Registration Office but regulations dealing with this are expected by the end of 2018. The Fifth EU Money Laundering Directive (2018/843), which was published on 19th June 2018, requires that the general public will have access to the central register for corporate entities and also pushes out the deadline for creation of the central register until January 2020. The requirements of MLD4 and the Fifth EU Money Laundering Directive regarding the register of beneficial ownership for trusts is being dealt with separately by the Department of Finance.